Compliance programmes
Programme requirements
What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?
The Banking Regulators, who act as prudential supervisors, are focused on monitoring the safety and soundness of depository institutions and their holding company system in a comprehensive manner. Thus, the Banking Regulators expect supervised institutions to adopt an effective risk-management programme that manages compliance risk alongside the other risks present in an institution’s business. As a general matter, the Banking Regulators expect that a regulated institution’s risk-management programme will reflect its size, resources and complexity, and will be proportionate to the risks present in its business.
No matter the size of the entity, an effective compliance programme for entities subject to the Banking Regulators’ supervision will include, among others, adequate policies and procedures to safeguard and manage assets; a clear organisational structure that establishes responsibility for monitoring adherence to established policies; controls that facilitate effective assessment of risks; and an internal audit system.
The Markets Regulators have similar requirements for the content of their regulated entities’ compliance programmes, although the precise expectations may depend on the type of regulated entity. In general, the Markets Regulators, either directly or through SRO rules, require their regulated institutions to:
- adopt and implement written policies and procedures reasonably designed to prevent violations of applicable law;
- periodically review the adequacy and effectiveness of such policies and procedures; and
- designate a chief compliance officer to administer such policies and procedures.
How important are gatekeepers in the regulatory structure?
The national financial services authorities place great emphasis on internal gatekeepers, such as chief compliance officers (CCOs), internal auditors, risk-management personnel and others who have a general obligation to identify and prevent potential misconduct.
As discussed above, regulatory expectations for risk management in depository institutions vary depending on a regulated institution’s size, resources and complexity. Currently, national banks and federal thrifts with more than US$50 billion in consolidated assets are expected to implement a ‘three lines of defence’ risk-management programme, which requires the business line to assume first-line responsibility for compliance, an independent risk-management function headed by a chief risk executive (second line), and an independent audit function headed by a chief audit executive (third line). In this structure, the chief risk executive and chief audit executive have unrestricted access to the institution’s board of directors. In large institutions, the second and third lines of defence are crucial for monitoring and assessing the institution’s activities, as well as recommending areas for improvement. The Banking Regulators often look to second- and third-line reports as part of their own examination processes.
The Markets Regulators similarly place great emphasis on internal gatekeepers. Since the financial crisis, regulations have assigned additional responsibilities and increasing accountability to such personnel through periodic certifications. For example, the CFTC adopted a rule requiring CCOs of FCMs and swap dealers to take reasonable steps to ensure compliance with applicable rules, and to prepare and sign an annual report that (i) provides an assessment of the effectiveness of the firm’s policies and procedures, and (ii) describes any material non-compliance issues identified and the corresponding action taken. This report must also include a certification by the CCO or chief executive officer that the information contained in the annual report is accurate and complete in all material respects. Markets Regulators also view their regulated institutions as themselves acting as gatekeepers to the industry, and in some cases expect them to surveil for and prevent misconduct by third parties using their services.
Directors’ duties and liability
What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?
State corporate laws and common law generally govern the duties of the directors of US corporations, including financial services firms. Directors are ultimately responsible for the overall direction and strategy of the firm. A board carries out this responsibility primarily by selecting, retaining and overseeing the firm’s managers, who direct daily operations. The board retains, however, the responsibility to evaluate and approve major decisions in the life of the firm.
When carrying out their responsibilities, directors of a US corporation owe the firm and its stockholders certain fiduciary duties, namely, the duties of care and loyalty. The duty of care generally requires directors to act with the care that a reasonably prudent person in a like position would use under similar circumstances. The duty of loyalty generally requires directors to act in good faith and in the best interests of the firm and its stockholders (and not for their own interests). In general, the business judgment rule applies to protect directors from judicial second-guessing when they have acted on an informed basis, in good faith and in the honest belief that the action was taken in the best interests of the company.
Bank directors may be held to a heightened standard with regard to these fiduciary duties, as courts have found that they must be concerned with the welfare of depositors as well as stockholders.
In addition to these general corporate responsibilities, the Banking and Markets Regulators have issued rules and guidance outlining specific responsibilities of boards of directors of financial institutions, which can be extensive.
When are directors typically held individually accountable for the activities of financial services firms?
Directors of financial services firms may be held individually liable (to shareholders or the applicable regulator) if they breach their fiduciary duties; however, as described above, the business judgment rule applies to protect directors from judicial second-guessing when they have acted on an informed basis, in good faith and in the honest belief that the action was taken in the best interests of the company.
In addition to being held accountable for breaches of fiduciary duties, directors of depository institutions could be subject to enforcement actions brought by the Banking Regulators for violating federal banking laws or engaging in unsafe or unsound practices, with the degree of the penalty - and the likelihood of an enforcement action - heightened depending on the director’s mens rea and the extent of the consequential loss to the bank or pecuniary gain or benefit to the director. In addition, if a director of a national bank knowingly violates, or knowingly permits officers or agents of a bank to violate, federal banking laws, the bank could be dissolved and the director could be held liable in a personal and individual capacity for all damages that the bank, its shareholders or others may have sustained as a consequence of the violation.
Directors of financial services firms that are regulated by the Markets Regulators are considered to be ‘control persons’ and, as a result, may be held personally liable for the acts of the controlled entity if they failed to act in good faith or otherwise knowingly induced or engaged in the acts constituting the violation.
Private rights of action
Do private rights of action apply to violations of national financial services authority rules and regulations?
Whether a private right of action would or likely could exist for a violation of a national financial services authority statute or rule depends on the particular statute or rule at issue and how courts have interpreted them. Generally, a private right of action is available only where such a right is provided for in the statute or rule that is alleged to have been violated. Even where a private right of action is not specifically enumerated in a statute or rule, courts have occasionally found private rights of action to be implied based on legislative intent and other factors. Most financial services authority rules and regulations, however, have not been found to carry private rights of action.
Standard of care for customers
What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?
The standard of care that applies when dealing with retail customers varies by the type of financial services firm and, in some cases, the particular capacity in which the financial services firm is servicing the customer.
Depository institutions must take care not to engage in unfair, deceptive or abusive acts or practices (UDAAPs) in any interaction with retail customers. These terms have been interpreted by the Banking Regulators, the CFPB and courts, which have developed tests for determining if an activity rises to the level of a UDAAP. The Banking Regulators only have the power to take action against depository institutions that conduct unfair or deceptive acts or practices. The CFPB has the full complement of powers and can take action against unfair, deceptive or abusive acts or practices. There are also a multitude of laws and regulations that relate to the delivery of specific products and services by depository institutions, many of which are designed to protect the consumer.
Generally, depository institutions are not subject to fiduciary duties with regard to retail customers, unless they are acting in a fiduciary capacity (eg, a trustee or executor), in which case, state law governing duties owed by a fiduciary or, in some cases, federal law, may apply.
SEC-registered investment advisers are deemed fiduciaries under the Advisers Act and must accordingly comply with the duties of loyalty and care when interacting with all of their customers, including retail customers. The SEC and courts have interpreted these fiduciary duties as requiring investment advisers to act with utmost good faith in the best interests of their clients, make full and fair disclosure of all material facts, and employ all reasonable care to avoid misleading clients. The Advisers Act imposes further limitations on an investment adviser’s dealings with customers.
Broker-dealers are generally not considered fiduciaries, although they nevertheless are subject to a duty of fair dealing. This duty is derived from common law agency principles and the anti-fraud provisions of the federal securities laws, and is also reflected in SRO rules. For example, FINRA requires its member broker-dealers to observe high standards of commercial honour and just and equitable principles of trade. In addition, broker-dealers must comply with other requirements that affect how they interact with customers, including:
- suitability requirements, which generally require broker-dealers to recommend only those specific investments or overall investment strategies that are suitable for their customers; and
- the duty of best execution, which generally requires broker-dealers to seek to obtain the most favourable terms available under the circumstances for their customer orders.
Does the standard of care differ based on the sophistication of the customer or counterparty?
Banks acting as fiduciaries and SEC-registered investment advisers must exercise their fiduciary duties, including the duties of loyalty and care, no matter the sophistication of the customer or client. The standards for satisfying their fiduciary duties, however, may become more stringent as the sophistication decreases, as care that is reasonable when dealing with an institutional investor may not be reasonable when dealing with a retail customer.
Other aspects of US financial services rules and regulations may apply differently depending on the characteristics of a customer that serve as a proxy for sophistication. For example, a broker-dealer recommending a security to an ‘institutional account’ is exempted from its obligation to conduct a customer-specific suitability analysis provided specified conditions are met.
Rule making
How are rules that affect the financial services industry adopted? Is there a consultation process?
The Banking and Markets Regulators are federal agencies and, thus, are subject to the US Administrative Procedure Act (APA), which sets out the process by which agencies may promulgate rules. These agencies generally use the APA’s notice-and-comment process to promulgate rules pursuant to either their general statutory rulemaking power, or an express statutory directive.
To initiate the notice-and-comment process, the agencies issue a notice providing the public a draft of a proposed rule and explaining the statutory authority and purposes for that rule. The public is given a period of time - typically 60 to 90 days - to review and comment on the proposed rule. Agencies may also meet with financial institutions or trade associations to discuss the proposed rule and comment letters.
After considering the comments submitted, the regulators may issue final rules, which typically become effective 60 days to one year after the final rule is issued. Any person with standing to challenge the rule in court may do so on certain stipulated grounds, including by bringing a claim that the agency acted in an arbitrary and capricious manner. SRO rulemaking is also indirectly subject to the APA. For example, FINRA rules must be approved by the SEC, and therefore the SEC promulgates these proposed SRO rules for notice and comment before they may take effect.